Skip to main content

Pinpoint APM CVE-2026-57947

| EUVDEUVD-2026-40164 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-29 disclosure@vulncheck.com GHSA-xx75-4fhf-jf2w
6.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.5 HIGH

Network-exploitable by low-privileged authenticated users with scope change to internal systems; high confidentiality impact from potential cloud credential harvest via metadata endpoints.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 18:38 vuln.today

DescriptionCVE.org

Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.

AnalysisAI

Server-side request forgery in Pinpoint APM through version 3.1.0 allows authenticated users with low privileges to register internal or cloud-metadata URLs as alarm webhook targets due to missing URL validation on the webhook registration endpoint. By deliberately triggering alarm threshold breaches, an attacker can coerce the Pinpoint server to issue outbound POST requests to internal hosts, cloud metadata services (such as AWS IMDS at 169.254.169.254), or other non-routable internal infrastructure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Pinpoint credentials
Delivery
Register alarm webhook pointing to internal metadata URL
Exploit
Trigger alarm threshold breach via application load
Execution
Pinpoint server issues POST to internal target
Persist
Extract response data from logs or error output
Impact
Leverage harvested cloud credentials for lateral movement

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Pinpoint account with at least low-privilege access sufficient to register alarm webhooks - PR:L per the CVSS 4.0 vector confirms this. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.3 understates certain real-world risk dimensions in cloud-hosted environments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a standard authenticated Pinpoint account configures a new alarm webhook pointing to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and sets a low alarm threshold that is easily breached by normal application traffic. When the alarm fires, the Pinpoint server issues a POST request to the AWS metadata endpoint, and the response - containing temporary IAM role credentials - may be logged, stored, or observable through side channels such as error messages or monitoring dashboards accessible to the attacker. …
Remediation The primary remediation is to upgrade Pinpoint to a version beyond 3.1.0 that includes SSRF protection on the webhook registration endpoint; however, no exact patched version number was confirmed in the provided input data - monitor the upstream GitHub issue at https://github.com/pinpoint-apm/pinpoint/issues/13857 for a confirmed fix release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57947 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy